Using Cloudflare SSL

I’m new to Cloudflare. Everything looks very simple but I am confused about SSL.

In the SSL / TLS section, there are edge certificates (Universal SSL), client certificates and origin server.

Is Universal SSL a certificate as secure as Let’s Encrypt? Can I just use this certificate instead of Let’s Encrypt? Is it enough? Are there any differences? Or can both be used together?

Thank you.

You should definitely use both (Let’s Encrypt & Universal) together. Your server should have SSL/TLS for your site before you add it to Cloudflare in order for it to be secure.

1 Like

Thank you for the reply. So what exactly is the Universal SSL task? Can’t SSL services in Cloudflare take the role of Let’s Encrypt? (for example origin server or client certificate)

Cloudflare can generate an origin certificate for the server housing a site that’s proxied by Cloudflare. But the proxy server itself also needs a certificate. That’s the Universal SSL certificate.

1 Like

If I got it right, Universal SSL provides encryption between browser and Cloudflare, while Let’s Encrypt is between server and Cloudflare. Cloudflare does not provide any additional protection for Let’s Encrypt.

Is it correct?

That’s exactly it.

In some sources I read, we had to buy a Cloudflare Pro plan to use certificates other than Cloudflare SSL. Isn’t that necessary to use Let’s Encrypt?

You can always use Let’s Encrypt on your server. But, if for some reason, you want to use your own certificate on the proxy server for your visitors, you would need a Business Plan. But that’s rarely necessary.

So can I use the Cloudflare “origin server” certificate instead of Let’s Encrypt? Do I still need to enable Universal SSL for this?

CF origin server certificate and Let’s Encrypt do the same thing. Is that so?

Hello, I connected my website with Cloudflare and created a Cloudflare Origin CA certificate for my site. I added the certificate from cPanel.

However, when I checked my site as https, I saw that the certificate was not working. (I checked with sslshopper too.)

Do I need to enable Universal SSL as well?

What could be the problem?

Definitely. You need both.

2 Likes

Thank you for the link. So can I never use the Origin CA certificate without enabling Universal SSL?

There are two different connections that need to be secured. Client to Cloudflare, and Cloudflare to Origin. You need a different certificate for each. Universal works for the first connection, Origin CA for the second.

The Client to Cloudflare connection usually uses the Universal SSL Certificate. In certain situations you might have requirements that are not met by the Universal certificate, and Cloudflare offer Dedicated Certificates, Custom Certificates and ACM Certificates for those situations. But the Universal covers most requirements.

The Cloudflare to Origin connection needs a different certificate. This can be a cert from a normal Certificate Authority such as Let’s Encrypt, a self-signed certificate, or a Cloudflare Origin Certificate. I like to use Let’s Encrypt certs, but Cloudflare Origin certs work well where you don’t want to manage the origin cert for the next 15 years.

1 Like

Thank you for your informative answer. This has been very useful.

If you don’t mind, I have one more question for you. Yes, instead of Let’s Encrypt I chose to use Cloudflare Origin CA SSL. But how should I add subdomains in a single certificate key when creating the origin SSL certificate?

Or should I create a different certificate for my subdomains?

For example, is what I do in the visual correct?

*.example.com, example.com, de.example.com, www.de.example.com

Is there anything else I need to add?

de.example.com would be covered by *.example.com, so is redundant.

Universal certificates cover the root, and one level of subdomain (example.com and *.example.com). If you plan on using two levels of subdomain (like www.de.example.com), then the Universal certificate will not work. You can purchase Dedicated or ACM certificates from Cloudflare to do this, or on a Business or Enterprise plan you can upload a Custom certificate. Alternatively, come up with a plan that does not use multiple levels of subdomain (www.example.com/de/ or just de.example.com would be common solutions).

1 Like
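The wildcard rule from the answer above, as an added example that is not part of the original thread: a simplified Python matcher (no IDNA or partial-wildcard handling) in which a leading `*.` stands for exactly one DNS label, run over the hostnames discussed here. The function names and the `UNIVERSAL`, `REQUESTED` and `HOSTS` lists are assumptions built from the names in the posts.

```python
# Added example: single-label wildcard matching for certificate SAN entries.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate SAN entry covers the hostname.

    A leading "*." wildcard stands for exactly one DNS label, so
    *.example.com covers de.example.com but neither example.com
    nor www.de.example.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Refuse wildcards directly under a TLD, then compare the rest literally.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def coverage(sans, hostnames):
    """Map each hostname to the SAN entries that cover it (empty list = uncovered)."""
    return {h: [s for s in sans if san_matches(s, h)] for h in hostnames}


def redundant_entries(sans):
    """Non-wildcard SAN entries already covered by another entry in the list."""
    return [s for s in sans
            if not s.startswith("*.")
            and any(o != s and san_matches(o, s) for o in sans)]


# Constructed from the names used in the thread.
UNIVERSAL = ["example.com", "*.example.com"]           # edge certificate names
REQUESTED = ["*.example.com", "example.com",
             "de.example.com", "www.de.example.com"]   # origin cert request
HOSTS = ["example.com", "www.example.com",
         "de.example.com", "www.de.example.com"]

if __name__ == "__main__":
    for host, by in coverage(UNIVERSAL, HOSTS).items():
        print(f"{host:20} {'covered by ' + ', '.join(by) if by else 'NOT covered'}")
    print("redundant in requested list:", redundant_entries(REQUESTED))
```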

I don’t think I need SSL on www.de.example.com, but something caught my attention in cPanel:

Here I have some anxiety. Is this important?

Ok, no SSL to www.de.example.com.

So can I use “de.example.com” without any problem? (Free CF CDN and protection + CF Origin CA + Universal SSL) @michael
